There exist secure access systems for performing two-factor authentication of a user to a network resource (e.g., remote servers, electronically locked access points, etc.). One exemplary two-factor authentication system is the RSA SecurID® authentication mechanism by EMC Corporation of Bedford, Mass. This exemplary system consists of a “token”, either hardware (e.g., a USB dongle) or software (a soft token), which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token's factory-encoded random key (known as the “seed record”). The seed record is different for each token, and is loaded into the corresponding system server as the tokens are purchased. To authenticate, the user must enter a personal identification number (PIN) and the generated authentication code being displayed at that moment.
However, there have been major breaches of such systems, such as the breach of RSA in 2011, culminating in the loss of sensitive data from major corporations to unknown sources. Knowing the seed records affords an attacker complete access to a user's information and to anything the user may use with their keys.
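The mechanism described above, as an added example that is not part of the original text: the SecurID algorithm is not given here, so the code substitutes the public TOTP construction (RFC 6238, HMAC-SHA1) with the 60-second interval from the text, and the `AuthServer` class, user name, PIN and seed are constructed for illustration. It shows that the displayed code is a pure function of the seed record and the clock, which is why the server-side seed records need the same protection as the tokens themselves.

```python
import hashlib
import hmac
import os
import struct

INTERVAL = 60  # seconds per code, the usual interval given in the text


def token_code(seed, now, digits=6):
    """Code shown at Unix time `now` by a token holding `seed` (RFC 6238 stand-in)."""
    counter = struct.pack(">Q", max(int(now), 0) // INTERVAL)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server: one seed record and one salted PIN hash per user."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _pin_hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, seed, pin):
        salt = os.urandom(16)
        self._users[user] = (seed, salt, self._pin_hash(pin, salt))

    def verify(self, user, pin, code, now, drift=1):
        record = self._users.get(user)
        if record is None:
            return False
        seed, salt, pin_hash = record
        pin_ok = hmac.compare_digest(self._pin_hash(pin, salt), pin_hash)
        windows = range(-drift, drift + 1)  # current interval plus neighbours, for clock skew
        code_ok = any(hmac.compare_digest(token_code(seed, now + k * INTERVAL).encode(),
                                          code.encode()) for k in windows)
        return pin_ok and code_ok  # both factors are required


def demo(now=180):
    seed = b"12345678901234567890"  # constructed sample seed (the RFC 4226 test key)
    server = AuthServer()
    server.enroll("alice", seed, "4921")  # constructed user and PIN
    return server.verify("alice", "4921", token_code(seed, now), now)
```

The server recomputes the code from its own copy of the seed record, so nothing distinguishes the enrolled token from any other holder of that record; only the PIN remains as a second factor.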
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP can be used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications. PGP, and other private key encryption methods, are very secure, as long as certain circumstances remain true. In any private key exchange, if the private key is lost, stolen or misplaced, the user data is completely open. Conversely, if the user loses the key, the data they are protecting is lost forever. So, the tradeoff is apparent.
Numerous techniques have been proposed in the literature to deal with the problem of identity theft. Any such scheme tries to establish that a person is who she/he claims to be. Passwords, (long) private keys, and camouflaging are some of the approaches used for this purpose. Since human beings cannot remember long keys, private keys often tend to be stored in a wallet, possibly encrypted with only a short password. Unfortunately, all of these schemes have the property that someone who carries these credentials (such as the right keys and passwords) will be accepted as the right person even if these credentials have been stolen from others.
As a biometric is a biological characteristic (such as a fingerprint, the geometry of a hand, retina pattern, iris shape, etc.) of an individual, biometric techniques can be used as an additional verification factor since biometrics are usually more difficult to obtain than other non-biometric credentials. Biometrics can be used for identification and/or authentication (also referred to as identity assertion and/or verification).
Biometric identity assertion can require a certain level of security as dictated by the application. For example, authentication in connection with a financial transaction or gaining access to a secure location requires higher security levels. As a result, preferably, the accuracy of the biometric representation of a user is sufficient to ensure that the user is accurately authenticated and security is maintained. However, to the extent iris, face, finger, and voice identity assertion systems exist and provide the requisite level of accuracy, such systems require dedicated devices and applications and are not easily implemented on conventional smartphones, which have limited camera resolution and light emitting capabilities.
Traditional biometric feature capture techniques generally require high resolution imagery, multi-spectral lighting and significant computing power to execute the existing image analysis algorithms and achieve the requisite accuracy dictated by security. These challenges have kept biometric authentication from being widely available or accessible to the masses. Moreover, traditional biometric authentication techniques that require dedicated devices used in a specific way (e.g., requiring a cooperative subject, having a narrow field of view, or requiring the biometric to be obtained in a specific way) detract from user convenience and wide-scale implementation.
Accordingly, there is a need for systems and methods with which a user's identity can be verified conveniently, seamlessly, and with a sufficient degree of accuracy, from biometric information captured from the user using readily available smartphones. In addition, what is needed are identity assertion systems and methods that, preferably, are not reliant on multi-spectral imaging devices, multi-spectral light emitters, high resolution cameras, or multiple user inputs.